Conventionally, so-called built-in apparatuses, such as a multifunction peripheral, include one that once shuts down the system thereof when updating firmware, starts the system in another mode so as to update the firmware, and then updates the firmware of the system. A technique for updating the firmware of the multifunction peripheral has been proposed e.g. in PTL (Patent Literature) 1. PTL (Patent Literature) 1 discloses a multifunction peripheral which has a main program for operation as the multifunction peripheral, and a sub program for updating the main program. When updating the firmware of the multifunction peripheral, the main program is operated to acquire update data from a server apparatus or the like, and after rebooting the system, the sub program is operated to update the main program. When the update is completed, the system is rebooted again to operate the updated main program.
In the above-described update of the firmware, there is a fear that the update of the main program, if carelessly performed using update data subjected to unauthorized alteration, allows unauthorized firmware to be installed in the built-in apparatus. To prevent the update using unauthorized firmware, there has been conventionally employed a method of verifying the firmware for update using a signature or the like to thereby confirm its validity (authenticity and integrity), and then updating the firmware.
However, unless this firmware verification function properly functions, due to a failure or unauthorized alteration, it is impossible to prevent unauthorized firmware from being installed in the apparatus. To solve this problem, as a method of checking validity of the firmware verification function, there has been proposed e.g. PTL (Patent Literature) 2. According to PTL (Patent Literature) 2, a plurality of update modules existing in the image forming apparatus mutually verify whether or not each module is free from unauthorized alteration, and transmit the verification results to a management apparatus. The management apparatus disables an update module which is determined to be invalid based on the received verification results. This makes it possible to prevent an invalid update module from operating.